richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5763 Commits
33 Branches
82 Tags
153 MiB
Tree: ae3a1d7c01
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ae3a1d7c01'
${ noResults }
kubespray/contrib/terraform/exoscale/modules/kubernetes-cluster/main.tf

193 lines
5.5 KiB
Raw Normal View History

Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform
4 years ago
contrib/terraform/exoscale: Rework SSH public keys (#7242) * contrib/terraform/exoscale: Rework SSH public keys Exoscale has a few limitations with `exoscale_ssh_keypair` resources. Creating several clusters with these scripts may lead to an error like: ``` Error: API error ParamError 431 (InvalidParameterValueException 4350): The key pair "lj-sc-ssh-key" already has this fingerprint ``` This patch reworks handling of SSH public keys. Specifically, we rely on the more cloud-agnostic way of configuring SSH public keys via `cloud-init`. * contrib/terraform/exoscale: terraform fmt * contrib/terraform/exoscale: Add terraform validate * contrib/terraform/exoscale: Inline public SSH keys The Terraform scripts need to install some SSH key, so that Kubespray (i.e., the "Ansible part") can take over. Initially, we pointed the Terraform scripts to `~/.ssh/id_rsa.pub`. This proved to be suboptimal: Operators sharing responbility for a cluster risk unnecessarily replacing resources. Therefore, it has been determined that it's best to inline the public SSH keys. The chosen variable `ssh_public_keys` provides some uniformity with `contrib/azurerm`. * Fix Terraform Exoscale test * Fix Terraform 0.14 test
4 years ago
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform
4 years ago
contrib/terraform/exoscale: Rework SSH public keys (#7242) * contrib/terraform/exoscale: Rework SSH public keys Exoscale has a few limitations with `exoscale_ssh_keypair` resources. Creating several clusters with these scripts may lead to an error like: ``` Error: API error ParamError 431 (InvalidParameterValueException 4350): The key pair "lj-sc-ssh-key" already has this fingerprint ``` This patch reworks handling of SSH public keys. Specifically, we rely on the more cloud-agnostic way of configuring SSH public keys via `cloud-init`. * contrib/terraform/exoscale: terraform fmt * contrib/terraform/exoscale: Add terraform validate * contrib/terraform/exoscale: Inline public SSH keys The Terraform scripts need to install some SSH key, so that Kubespray (i.e., the "Ansible part") can take over. Initially, we pointed the Terraform scripts to `~/.ssh/id_rsa.pub`. This proved to be suboptimal: Operators sharing responbility for a cluster risk unnecessarily replacing resources. Therefore, it has been determined that it's best to inline the public SSH keys. The chosen variable `ssh_public_keys` provides some uniformity with `contrib/azurerm`. * Fix Terraform Exoscale test * Fix Terraform 0.14 test
4 years ago
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform
4 years ago
  1. data "exoscale_compute_template" "os_image" {
  2. for_each = var.machines
  4. zone = var.zone
  5. name = each.value.boot_disk.image_name
  6. }
  8. data "exoscale_compute" "master_nodes" {
  9. for_each = exoscale_compute.master
  11. id = each.value.id
  13. # Since private IP address is not assigned until the nics are created we need this
  14. depends_on = [exoscale_nic.master_private_network_nic]
  15. }
  17. data "exoscale_compute" "worker_nodes" {
  18. for_each = exoscale_compute.worker
  20. id = each.value.id
  22. # Since private IP address is not assigned until the nics are created we need this
  23. depends_on = [exoscale_nic.worker_private_network_nic]
  24. }
  26. resource "exoscale_network" "private_network" {
  27. zone = var.zone
  28. name = "${var.prefix}-network"
  30. start_ip = cidrhost(var.private_network_cidr, 1)
  31. # cidr -1 = Broadcast address
  32. # cidr -2 = DHCP server address (exoscale specific)
  33. end_ip = cidrhost(var.private_network_cidr, -3)
  34. netmask = cidrnetmask(var.private_network_cidr)
  35. }
  37. resource "exoscale_compute" "master" {
  38. for_each = {
  39. for name, machine in var.machines :
  40. name => machine
  41. if machine.node_type == "master"
  42. }
  44. display_name = "${var.prefix}-${each.key}"
  45. template_id = data.exoscale_compute_template.os_image[each.key].id
  46. size = each.value.size
  47. disk_size = each.value.boot_disk.root_partition_size + each.value.boot_disk.node_local_partition_size + each.value.boot_disk.ceph_partition_size
  48. state = "Running"
  49. zone = var.zone
  50. security_groups = [exoscale_security_group.master_sg.name]
  52. user_data = templatefile(
  53. "${path.module}/templates/cloud-init.tmpl",
  54. {
  55. eip_ip_address = exoscale_ipaddress.ingress_controller_lb.ip_address
  56. node_local_partition_size = each.value.boot_disk.node_local_partition_size
  57. ceph_partition_size = each.value.boot_disk.ceph_partition_size
  58. root_partition_size = each.value.boot_disk.root_partition_size
  59. node_type = "master"
  60. ssh_public_keys = var.ssh_public_keys
  61. }
  62. )
  63. }
  65. resource "exoscale_compute" "worker" {
  66. for_each = {
  67. for name, machine in var.machines :
  68. name => machine
  69. if machine.node_type == "worker"
  70. }
  72. display_name = "${var.prefix}-${each.key}"
  73. template_id = data.exoscale_compute_template.os_image[each.key].id
  74. size = each.value.size
  75. disk_size = each.value.boot_disk.root_partition_size + each.value.boot_disk.node_local_partition_size + each.value.boot_disk.ceph_partition_size
  76. state = "Running"
  77. zone = var.zone
  78. security_groups = [exoscale_security_group.worker_sg.name]
  80. user_data = templatefile(
  81. "${path.module}/templates/cloud-init.tmpl",
  82. {
  83. eip_ip_address = exoscale_ipaddress.ingress_controller_lb.ip_address
  84. node_local_partition_size = each.value.boot_disk.node_local_partition_size
  85. ceph_partition_size = each.value.boot_disk.ceph_partition_size
  86. root_partition_size = each.value.boot_disk.root_partition_size
  87. node_type = "worker"
  88. ssh_public_keys = var.ssh_public_keys
  89. }
  90. )
  91. }
  93. resource "exoscale_nic" "master_private_network_nic" {
  94. for_each = exoscale_compute.master
  96. compute_id = each.value.id
  97. network_id = exoscale_network.private_network.id
  98. }
  100. resource "exoscale_nic" "worker_private_network_nic" {
  101. for_each = exoscale_compute.worker
  103. compute_id = each.value.id
  104. network_id = exoscale_network.private_network.id
  105. }
  107. resource "exoscale_security_group" "master_sg" {
  108. name = "${var.prefix}-master-sg"
  109. description = "Security group for Kubernetes masters"
  110. }
  112. resource "exoscale_security_group_rules" "master_sg_rules" {
  113. security_group_id = exoscale_security_group.master_sg.id
  115. # SSH
  116. ingress {
  117. protocol = "TCP"
  118. cidr_list = var.ssh_whitelist
  119. ports = ["22"]
  120. }
  122. # Kubernetes API
  123. ingress {
  124. protocol = "TCP"
  125. cidr_list = var.api_server_whitelist
  126. ports = ["6443"]
  127. }
  128. }
  130. resource "exoscale_security_group" "worker_sg" {
  131. name = "${var.prefix}-worker-sg"
  132. description = "security group for kubernetes worker nodes"
  133. }
  135. resource "exoscale_security_group_rules" "worker_sg_rules" {
  136. security_group_id = exoscale_security_group.worker_sg.id
  138. # SSH
  139. ingress {
  140. protocol = "TCP"
  141. cidr_list = var.ssh_whitelist
  142. ports = ["22"]
  143. }
  145. # HTTP(S)
  146. ingress {
  147. protocol = "TCP"
  148. cidr_list = ["0.0.0.0/0"]
  149. ports = ["80", "443"]
  150. }
  152. # Kubernetes Nodeport
  153. ingress {
  154. protocol = "TCP"
  155. cidr_list = var.nodeport_whitelist
  156. ports = ["30000-32767"]
  157. }
  158. }
  160. resource "exoscale_ipaddress" "ingress_controller_lb" {
  161. zone = var.zone
  162. healthcheck_mode = "http"
  163. healthcheck_port = 80
  164. healthcheck_path = "/healthz"
  165. healthcheck_interval = 10
  166. healthcheck_timeout = 2
  167. healthcheck_strikes_ok = 2
  168. healthcheck_strikes_fail = 3
  169. }
  171. resource "exoscale_secondary_ipaddress" "ingress_controller_lb" {
  172. for_each = exoscale_compute.worker
  174. compute_id = each.value.id
  175. ip_address = exoscale_ipaddress.ingress_controller_lb.ip_address
  176. }
  178. resource "exoscale_ipaddress" "control_plane_lb" {
  179. zone = var.zone
  180. healthcheck_mode = "tcp"
  181. healthcheck_port = 6443
  182. healthcheck_interval = 10
  183. healthcheck_timeout = 2
  184. healthcheck_strikes_ok = 2
  185. healthcheck_strikes_fail = 3
  186. }
  188. resource "exoscale_secondary_ipaddress" "control_plane_lb" {
  189. for_each = exoscale_compute.master
  191. compute_id = each.value.id
  192. ip_address = exoscale_ipaddress.control_plane_lb.ip_address
  193. }